user1226395

Reputation: 11

GWT SSL + Jetty + Same origin policy = confusion

I am using GWT and want to enable SSL on one HTML page (module). I have multiple modules, and one such module is secured with the following configuration in my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern>/Secure.html</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I have another module (a login page), from which I call Secure.html to pass users' login information over SSL. I have the following questions:

  1. Am I violating the same-origin policy by calling the Secure.html module from HTTP (the non-secured login page)?
  2. How do I add a connector for SSL in the embedded Jetty? I am using the GWT Eclipse plugin. I hate it though. When I try to access the secured Secure.html page, I get 403 - Forbidden in dev mode. I don't want to use SSL for all my modules (-server :ssl). But if I deploy the app on an external server (Tomcat), it works fine.
  3. Am I doing it right? There must be a better approach than this?

Upvotes: 1

Views: 582

Answers (1)

Chris Cashwell

Reputation: 22859

1) You're definitely violating the same-origin policy by changing the protocol.

2) You don't need to have the connector for the embedded Jetty... what you see there is (and should be) identical to what you'd see over HTTPS. SSL is a matter of putting your content behind a secure server. IMO this is a production concern, not a development concern.

Upvotes: 1
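
The origin comparison behind point 1, as an added example that is not part of the original question or answer: an origin is the (scheme, host, port) tuple, so moving from http to https changes the scheme and, when no port is written, the default port as well. The host names, port 8888 and the Login.html file name are constructed sample values.

```javascript
// Added example: compare two URLs by origin tuple (scheme, host, port), RFC 6454.
// All URLs below are constructed; only Secure.html comes from the question.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(rawUrl) {
  const u = new URL(rawUrl);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // URL.port is "" when the scheme's default port is in use
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Names of the tuple components that differ; an empty list means same origin.
function originDiff(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
}

function isSameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// [page making the request, resource requested]
const CASES = [
  ["http://localhost:8888/Login.html", "http://localhost:8888/Secure.html"],
  ["http://localhost:8888/Login.html", "https://localhost:8888/Secure.html"],
  ["http://app.example.test/Login.html", "https://app.example.test/Secure.html"],
  ["http://app.example.test:80/Login.html", "http://APP.example.test/Secure.html"],
];

for (const [from, to] of CASES) {
  const diff = originDiff(from, to);
  const verdict = diff.length ? "cross-origin (" + diff.join(", ") + ")" : "same origin";
  console.log(from + " -> " + to + ": " + verdict);
}
```
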
